systembc | cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 12:17

Target

8850b7c96abf365df3fd542cb17755c5.exe
Size

322KB
MD5

8850b7c96abf365df3fd542cb17755c5
SHA1

90e77265727ab091e9ee48e82df170b8929998b4
SHA256

cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5
SHA512

d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933
SSDEEP

3072:cV8upnowD9Ec5Mk36eiPdBCG6hDuiBwMASzkazLz/o5tYVggjcGkNIVqIZ:K8upD2ny0PR6hDuKZzkaHzgi7ITsq4

Score

10^/10

systembc trojan

Family

systembc

45.15.156.48:4254

146.70.53.169:4254

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

8850b7c96abf365df3fd542cb17755c5.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	8850b7c96abf365df3fd542cb17755c5.exe
File opened for modification	C:\Windows\Tasks\wow64.job	8850b7c96abf365df3fd542cb17755c5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 644 wrote to memory of 584	644	taskeng.exe	8850b7c96abf365df3fd542cb17755c5.exe
PID 644 wrote to memory of 584	644	taskeng.exe	8850b7c96abf365df3fd542cb17755c5.exe
PID 644 wrote to memory of 584	644	taskeng.exe	8850b7c96abf365df3fd542cb17755c5.exe
PID 644 wrote to memory of 584	644	taskeng.exe	8850b7c96abf365df3fd542cb17755c5.exe

C:\Users\Admin\AppData\Local\Temp\8850b7c96abf365df3fd542cb17755c5.exe
"C:\Users\Admin\AppData\Local\Temp\8850b7c96abf365df3fd542cb17755c5.exe"
1⤵
- Drops file in Windows directory
PID:2016

C:\Windows\system32\taskeng.exe
taskeng.exe {BB91848E-F31F-471B-8947-76F3CBFF86ED} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\8850b7c96abf365df3fd542cb17755c5.exe
C:\Users\Admin\AppData\Local\Temp\8850b7c96abf365df3fd542cb17755c5.exe start
2⤵
PID:584

memory/584-58-0x0000000000000000-mapping.dmp

Download
memory/584-60-0x00000000002CB000-0x00000000002E1000-memory.dmp

Filesize
88KB

Download
memory/584-61-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download
memory/584-62-0x00000000002CB000-0x00000000002E1000-memory.dmp

Filesize
88KB

Download
memory/2016-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2016-56-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/2016-55-0x0000000002DCB000-0x0000000002DE1000-memory.dmp

Filesize
88KB

Download
memory/2016-57-0x0000000000400000-0x0000000002C3E000-memory.dmp

Filesize
40.2MB

Download